
Group Policy Problem (event id 1030 & 1058)


  • Group Policy Problem (event id 1030 & 1058)

    I saw some threads dealing with the same event IDs but nothing that applied specifically to the behavior I'm experiencing. Sorry if this has been answered but I just didn't come across it.

    I recently upgraded our 2000 domain controller to 2003 enterprise. I've also added SBS 2003 w/ exchange 2003 to the AD, also as a domain controller (so I'll likely have some Exchange questions but I'll save that for a different post).

    When I create a new user object in AD and attempt to log on with that user I get "The local policy of this system does not permit you to logon interactively". Unfortunately it's not just one machine. I get the error any time I try to log in to the domain with the newly created account.

    Strange observations:
    I'm getting the aforementioned event IDs on the main DC.
    The main DC (the one w/o exchange) doesn't have the Group Policy Management console, or the Domain Controller Security Policy console. I've reinstalled the support tools several times as well as the adminpak. These are on the exchange server.

    GPM on the exchange server says there are inconsistencies in permissions on the GPO and asks if I want to change the permissions in SYSVOL to match AD. I'd think I should click OK but I'm paranoid I'll overwrite some AD permissions. Is this the way to go?

    What am I missing?

    If more information is needed I'll be happy to post it. I've tried a million different things and read several KB articles so I'm trying to sum up as best I can.

    Proven e-Commerce Solutions
    340 N. 12th St.
    Suite 200
    Philadelphia PA 19107

  • #2
    The symptoms match a corrupt default domain policy. If GPMC offers to correct it for you, that is probably a good move. Check that the permissions include Authenticated Users: Read & Apply policy.


    • #3
      Well, earlier today I bit the bullet and agreed to let GP fix things for me. It seems to have worked a bit. Some of my exchange problems seem to have gone away now that the "fixes" to AD have propagated.

      I refer to them as "fixes" because I'm still having some issues.

      wkasdo, Authenticated Users do have access but it's Read only. I don't see apply as an option. Maybe you meant 'edit'? Authenticated Users are listed under the "Security Filtering" field on the scope tab in GPM for both the Default Domain Policy and Default Domain Security Policy.

      What I'd really like to do is not only understand how to fix the issues I'm having but figure out how they got this way. I suspect I did something in the wrong order. It also seems like FRS is throwing some errors about a test domain that no longer exists (domain.local). I've run ntdsutil in vain. There are no errant domains listed in the metabase from what I can see.
      The event viewer msgs look like so:
      Code:
      The File Replication Service is having trouble enabling replication from MERCURY to INTERNAL-DC for c:\winnt\sysvol\domain using the DNS name MERCURY.internal.weblinc.com. FRS will keep retrying.
      Following are some of the reasons you would see this warning.

      [1] FRS can not correctly resolve the DNS name MERCURY.internal.weblinc.com from this computer.
      [2] FRS is not running on MERCURY.internal.weblinc.com.
      [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

      This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
      13508 is the corresponding event ID. Sometimes I get these but then they're followed by recovery notices, so maybe it's not an issue. I blamed these errors on the fact that (for now) the server is sharing a 10 Mbps hub w/ some other test boxes and FRS was just erroring out b/c of slow connections. This obviously won't be an issue in production.

      wkasdo, thanks for the help. Still looking to resolve these few AD issues. I'll also start posting in the Exchange forum now that I'm getting further with that. Since the two are so closely tied it's hard to tell where the root of the problem is.

      • #4
        OK folks, looks like the FRS problems have dropped off. I'm still having issues when I create a new user. Still can't log on to the domain unless I add the user to the Domain Admins group.

        Any clues? I don't even know where to begin troubleshooting this one as I'm quite obviously a novice at AD.

        • #5
          Re: Group Policy Problem (event id 1030 & 1058)

          Originally posted by LincFu
          I recently upgraded our 2000 domain controller to 2003 enterprise. I've also added SBS 2003 w/ exchange 2003 to the AD, also as a domain controller (so I'll likely have some Exchange questions but I'll save that for a different post).
          How have you added SBS to an existing AD???
          SBS cannot be joined to an existing AD as an additional DC.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"

          • #6
            > How have you added SBS to existing AD ???
            > SBS can not be joined to existing AD as additional DC
            That's what I thought, but I didn't know enough of SBS to say so for sure... Would be nice to know what happened here.

            > Still can't logon to the domain unless I add the user to the Domain Admins group

            Well... that's normal for ordinary users logging on to Domain Controllers; that's not allowed. Just thought I'd mention it since you did not specify what you are logging on to.


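The logon error in this thread ("The local policy of this system does not permit you to logon interactively") is the machine refusing the user the SeInteractiveLogonRight privilege, and as noted above a plain domain user never holds it on a domain controller. The script below is an added example, not something posted in the thread: it exports the security policy actually in force on the machine you are trying to log on to (Group Policy already merged in) and lists who holds "Allow log on locally", resolving SIDs to names. It assumes secedit.exe is available and that you run it elevated; the function and variable names are mine.

```powershell
# Added example (not from the thread). Lists the holders of "Allow log on locally"
# (SeInteractiveLogonRight) as the local security database has them after Group Policy
# has been applied. Run from an elevated PowerShell prompt on the rejecting machine.
function Get-InteractiveLogonHolders {
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        # /areas USER_RIGHTS limits the export to the privilege assignments we care about
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if (-not (Test-Path $inf)) { throw 'secedit produced no export file (not elevated?)' }

        # secedit writes UTF-16LE; the line of interest looks like
        #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
        $line = Get-Content -Path $inf -Encoding Unicode |
                Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }   # assigned to nobody: every interactive logon fails

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # A leading * marks a SID. Translate it, but keep the raw SID when it no longer
                # resolves (deleted group, or a principal from a trusted domain that is unreachable,
                # which is exactly the kind of leftover a stale NT4 trust produces).
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { "$entry (unresolved)" }
            } else { $entry }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$holders = Get-InteractiveLogonHolders
$holders

# A freshly created domain user only gets in if one of the groups in their token is listed.
# On a member workstation that is normally BUILTIN\Users; the Default Domain Controllers Policy
# deliberately leaves ordinary users out, so on a DC the refusal is the expected result.
$ordinary = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\Domain Users"
if ($holders | Where-Object { $ordinary -contains $_ }) {
    'Ordinary domain users are granted interactive logon on this machine.'
} else {
    'Ordinary domain users are NOT granted SeInteractiveLogonRight on this machine.'
}
```

Run `gpupdate /force` first so the export reflects current policy, and if the holders list is not what you expect, `gpresult /h report.html` (or `gpresult /v` on older systems) shows which GPO won the "Allow log on locally" setting. Unresolved SIDs in the output are worth chasing: they are what a User Rights Assignment looks like after the domain or group that granted it has disappeared.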
            • #7
              hahaha!

              I just realized this as well by doing some searching in the SBS forums. I made the appropriate adjustments in AD by making the server running SBS the PDC. What's even better is it looks like my user creation problem is fixed. Excellent, since now I can remove these extraneous users from the Domain Admins group.

              Now, this begs the question... Does the machine running SBS have to be the RID and Infrastructure operations master as well? Or can I leave these roles to the other (now BDC) domain controller?

              • #8
                Spoke too soon. Looks like I had added my test user to 'Domain Admins'. After making SBS my PDC and attempting a logon I thought that had fixed the problem. I'm trying to log on to the domain. Any workstation or server, doesn't matter: I get the error I mentioned in my original post about local policy not permitting the user to logon.

                So I'll ask again. Does the SBS need to be the operations master under all 3 tabs (PDC, RID and Infrastructure) or is everything cool so long as SBS is the DC?

                I also noticed something fishy while looking at my domain properties. It seems that the domain's functional level was appropriately raised to Windows 2003 but the forest functional level is still Windows 2000. Going to fix this and see what happens. I'm not supporting any NT so it shouldn't be a problem.

                • #9
                  Here's a screenshot of the "Allow logon locally" properties from gpedit.msc. Everything I've found through google is saying altering this setting in gpedit will fix my problem. On the one hand I suppose it makes a little sense. However, the Domain Users group is already assigned this policy. Everyone is a Domain User at the very least. So when I create a new user they should inherit this privilege from their group membership.

                  What's even more messed up is that the 'Add User or Group' and 'Remove' buttons are greyed out. I doubt this is a result of my user membership unless it's a conflict somewhere. As far as I know I've got permissions to pretty much everything (Domain Admins, Enterprise Admins etc).

                  The greyed out boxes show up in most of the items under User Rights Assignment. I'm guessing these are being inherited somehow and that's why I can't edit them. Where they are coming from I don't know. Anyone?

                  While I'm at it, should I start a different thread for this?
                  Attached Files

                  • #10
                    OK, once again, never mind. Geez I feel stupid. Looks like I was looking in the wrong place. My GP settings were definitely out of sync. I think I've fixed it now. Looks like I've got this user thing under control. Now it's time to start posting in the Exchange server forum and get some of my questions about exchange answered. Thanks folks.

                    • #11
                      Just out of curiosity, can you say what OS versions your DCs are running ?
                      I'm still puzzled with the SBS thing...

                      • #12
                        Well I've come to the conclusion that there's still an NT 4 DC hiding out. We have 2 domains, 'weblinc' and 'internal'. Mostly we're working in the internal domain. Everyone logs into this and that's where all of our web development and DB servers live.

                        There's a trust relationship between the domains. At first I didn't think anything of it. Even though we're not really using 'weblinc' I didn't want to remove it for fear of a problem. Worst case, we'd operate in mixed mode. But now that I realized the DC (and only server left in that domain) is NT4, we have a problem.

                        One of two routes is possible from here. The best thing, and what I'd really like to do, is use the ADMT to migrate users and groups off the NT4 machine and into the 2003 domain. This would eliminate NT4 throughout the organization once and for all... weird, that sounded kind of genocidal

                        Another solution would be to set up another machine in the weblinc domain, running 2000 server. Then migrate the users there and maintain the trust relationship.

                        The trust is causing the biggest problem. It would have been confusing enough on its own, but with the domain controller being NT4 it's a complete mess.

                        Incidentally, I tried to start the migration and one thing that already seems troublesome is that I don't see HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport on the source domain as per this MS KB. Of course, the article only claims to relate to win2k or 2k3. Anyone have a link to a more relevant KB? Or am I forced to go NT->2000->2003?

                        • #13
                          Event ID 1030 & 1058

                          Hi Guys,

                          I don't have exactly the same constellation as you guys, but maybe you can help me.

                          I installed a backup (secondary) domain controller in our 2003 AD domain and everything worked fine. Then I also installed a secondary DNS server. Everything worked fine until this morning, when I looked in the event log. I saw so many event IDs 1030 and 1058. Something is going on since installing the backup server.

                          Do you have an idea what I can do?

                          ID 1030:

                          Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.


                          ID 1058:

                          Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=EbeyeSDA,DC=local. The file must be present at the location <\\EbeyeSDA.local\sysvol\EbeyeSDA.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.



                          I already checked whether AD is available like this:

                          \\ebeyesda.local\SYSVOL\EbeyeSDA.local

                          Positive, I have access.


                          What can I do?

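Event 1058 is literally the policy engine failing to read `\\<domain>\sysvol\<domain>\Policies\{GUID}\gpt.ini`, and "Access is denied" on a share you can browse usually means the per-GPO folder ACL no longer matches the GPO's ACL in AD, which is the inconsistency GPMC offered to repair in the first post. The script below is an added example and not something anyone in the thread posted: for every GPO in the domain it attempts the same gpt.ini read the client makes, compares the AD-side and SYSVOL-side version numbers, and checks that Authenticated Users holds Read and Apply on the GPO in AD and Read on its SYSVOL folder. It assumes the GroupPolicy RSAT module is installed and that it runs on a domain-joined machine; `Test-GpoConsistency` and the other names are mine, and the domain defaults to the current machine's.

```powershell
# Added example (not from the thread). Reports, per GPO, the conditions behind events
# 1030/1058 and the GPMC "permissions are inconsistent" prompt. Assumes the GroupPolicy
# module (RSAT) and a domain-joined machine; $Domain defaults to this machine's domain.
Import-Module GroupPolicy

function Test-GpoConsistency {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $sysvol    = "\\$Domain\SYSVOL\$Domain\Policies"
    $authUsers = 'S-1-5-11'                                               # Authenticated Users
    $readMask  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $issues = @()
        $folder = Join-Path $sysvol "{$($gpo.Id)}"
        $gptIni = Join-Path $folder 'gpt.ini'

        # 1. The read that event 1058 reports as failing; surface the exact error text.
        try {
            $iniVersion = [int](((Get-Content -Path $gptIni -ErrorAction Stop) |
                Where-Object { $_ -match '^Version=' }) -replace '^Version=', '')
        } catch {
            $issues += "gpt.ini unreadable: $($_.Exception.Message)"
            $iniVersion = $null
        }

        # 2. gpt.ini packs the user version into the high 16 bits and the computer version into
        #    the low 16 bits. A mismatch with AD means SYSVOL replication has not caught up
        #    (FRS 13508 territory) or one side was edited by hand.
        if ($null -ne $iniVersion) {
            $adVersion = ($gpo.User.DSVersion * 65536) + $gpo.Computer.DSVersion
            if ($iniVersion -ne $adVersion) {
                $issues += "version mismatch: AD=$adVersion gpt.ini=$iniVersion"
            }
        }

        # 3a. AD-side security filtering: Authenticated Users needs Read + Apply (GpoApply).
        $auth = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
                Where-Object { $_.Trustee.Sid.Value -eq $authUsers }
        if (-not $auth) {
            $issues += 'Authenticated Users: no AD permission on GPO'
        } elseif ($auth.Permission -eq 'GpoRead') {
            $issues += 'Authenticated Users: Read only, GPO will not apply'
        } elseif ($auth.Permission -ne 'GpoApply') {
            $issues += "Authenticated Users: unexpected permission $($auth.Permission)"
        }

        # 3b. SYSVOL-side ACL: without Read here the client still gets Access denied, no matter
        #     what AD says. This is the half GPMC rewrites when you accept its repair offer.
        try {
            $aces = (Get-Acl -Path $folder -ErrorAction Stop).Access | Where-Object {
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $authUsers
            }
            $hasRead = $aces | Where-Object {
                $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $readMask) -eq $readMask)
            }
            if (-not $hasRead) { $issues += 'Authenticated Users: no Read on SYSVOL folder (AD/SYSVOL ACLs out of step)' }
        } catch {
            $issues += "SYSVOL ACL unreadable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Name   = $gpo.DisplayName
            Id     = $gpo.Id
            Status = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
}

Test-GpoConsistency | Format-Table -AutoSize -Wrap
```

Run it as the user that sees the 1058 events, not only as an administrator: a folder ACL that still grants Domain Admins everything will look fine to you and deny everyone else. If only the SYSVOL-side check fails, accepting GPMC's offer to make SYSVOL match AD is the intended fix and touches nothing in the directory; if the version numbers disagree across DCs, look at FRS (or DFSR) replication before touching permissions at all.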